From 495677c360836057bdfccfc3b65f2e35893dc0c2 Mon Sep 17 00:00:00 2001
From: Cole Robinson
Date: Sun, 7 Oct 2012 16:45:12 -0400
Subject: [PATCH] CVE-2012-3515 VT100 emulation vulnerability (bz #854600, bz #851252)
---
 ...heck-whenever-changing-the-cursor-du.patch | 133 ++++++++++++++++++
 qemu.spec | 8 +-
 2 files changed, 140 insertions(+), 1 deletion(-)
 create mode 100644 0244-console-bounds-check-whenever-changing-the-cursor-du.patch
diff --git a/0244-console-bounds-check-whenever-changing-the-cursor-du.patch b/0244-console-bounds-check-whenever-changing-the-cursor-du.patch
new file mode 100644
index 0000000..1e82ffd
--- /dev/null
+++ b/0244-console-bounds-check-whenever-changing-the-cursor-du.patch
@@ -0,0 +1,133 @@
+From 840031ac0f74c51622490bb72e6671f7e35b95ff Mon Sep 17 00:00:00 2001
+Message-Id: <840031ac0f74c51622490bb72e6671f7e35b95ff.1349642201.git.crobinso@redhat.com>
+From: Ian Campbell
+Date: Tue, 4 Sep 2012 10:26:09 -0500
+Subject: [PATCH] console: bounds check whenever changing the cursor due to an
+ escape code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is XSA-17 / CVE-2012-3515
+
+Signed-off-by: Ian Campbell
+Signed-off-by: Anthony Liguori
+(cherry picked from commit 3eea5498ca501922520b3447ba94815bfc109743)
+
+[AF: Resolves BNC#777084]
+Signed-off-by: Andreas Färber
+Signed-off-by: Cole Robinson
+---
+ console.c | 57 ++++++++++++++++++++++++++++-----------------------------
+ 1 file changed, 28 insertions(+), 29 deletions(-)
+
+diff --git a/console.c b/console.c
+index 07c82b8..f9eb5a1 100644
+--- a/console.c
++++ b/console.c
+@@ -833,6 +833,26 @@ static void console_clear_xy(TextConsole *s, int x, int y)
+ update_xy(s, x, y);
+ }
+
++/* set cursor, checking bounds */
++static void set_cursor(TextConsole *s, int x, int y)
++{
++ if (x < 0) {
++ x = 0;
++ }
++ if (y < 0) {
++ y = 0;
++ }
++ if (y >= s->height) {
++ y = s->height - 1;
++ }
++ if (x >= s->width) {
++ x = s->width - 1;
++ }
++
++ s->x = x;
++ s->y = y;
++}
++
+ static void console_putchar(TextConsole *s, int ch)
+ {
+ TextCell *c;
+@@ -904,7 +924,8 @@ static void console_putchar(TextConsole *s, int ch)
+ s->esc_params[s->nb_esc_params] * 10 + ch - '0';
+ }
+ } else {
+- s->nb_esc_params++;
++ if (s->nb_esc_params < MAX_ESC_PARAMS)
++ s->nb_esc_params++;
+ if (ch == ';')
+ break;
+ #ifdef DEBUG_CONSOLE
+@@ -918,59 +939,37 @@ static void console_putchar(TextConsole *s, int ch)
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->y -= s->esc_params[0];
+- if (s->y < 0) {
+- s->y = 0;
+- }
++ set_cursor(s, s->x, s->y - s->esc_params[0]);
+ break;
+ case 'B':
+ /* move cursor down */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->y += s->esc_params[0];
+- if (s->y >= s->height) {
+- s->y = s->height - 1;
+- }
++ set_cursor(s, s->x, s->y + s->esc_params[0]);
+ break;
+ case 'C':
+ /* move cursor right */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->x += s->esc_params[0];
+- if (s->x >= s->width) {
+- s->x = s->width - 1;
+- }
++ set_cursor(s, s->x + s->esc_params[0], s->y);
+ break;
+ case 'D':
+ /* move cursor left */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->x -= s->esc_params[0];
+- if (s->x < 0) {
+- s->x = 0;
+- }
++ set_cursor(s, s->x - s->esc_params[0], s->y);
+ break;
+ case 'G':
+ /* move cursor to column */
+- s->x = s->esc_params[0] - 1;
+- if (s->x < 0) {
+- s->x = 0;
+- }
++ set_cursor(s, s->esc_params[0] - 1, s->y);
+ break;
+ case 'f':
+ case 'H':
+ /* move cursor to row, column */
+- s->x = s->esc_params[1] - 1;
+- if (s->x < 0) {
+- s->x = 0;
+- }
+- s->y = s->esc_params[0] - 1;
+- if (s->y < 0) {
+- s->y = 0;
+- }
++ set_cursor(s, s->esc_params[1] - 1, s->esc_params[0] - 1);
+ break;
+ case 'J':
+ switch (s->esc_params[0]) {
+--
+1.7.11.4
+
diff --git a/qemu.spec b/qemu.spec
index 86918a3..d4de9de 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,7 +1,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 0.15.1
-Release: 7%{?dist}
+Release: 8%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
@@ -133,6 +133,8 @@ Patch241: %{name}-fix-systemtap.patch
 Patch242: %{name}-spice-server-threading.patch
 # Fix text mode screendumps (bz 819155)
 Patch243: %{name}-fix-text-mode-screendumps.patch
+# CVE-2012-3515 VT100 emulation vulnerability (bz 854600, bz 851252)
+Patch244: 0244-console-bounds-check-whenever-changing-the-cursor-du.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel
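Review bot: The escape-parameter accumulation that the second console.c hunk keeps as context, `s->esc_params[s->nb_esc_params] * 10 + ch - '0';`, still has no upper bound, so a long enough run of digits overflows the int (undefined behaviour) before the new set_cursor() ever clamps, and the relative moves `s->x + s->esc_params[0]` and `s->y + s->esc_params[0]` in the 'C' and 'B' cases of the third hunk can overflow the same way. set_cursor() clamps both axes on both sides, so the stored cursor stays inside the cell array, but the arithmetic feeding it is not defined for such input. Saturating the parameter while it is parsed removes both overflows; the guard `if (s->nb_esc_params < MAX_ESC_PARAMS) {` that presumably encloses the digit branch sits just above the hunk, as does the rest of console_putchar(), and INT_MAX needs <limits.h> if console.c does not already include it. Separately, the brace-less `if (s->nb_esc_params < MAX_ESC_PARAMS) s->nb_esc_params++;` departs from the braced style used everywhere else in these hunks, including set_cursor() itself.
```c
/* … unchanged: TTY_STATE_CSI digit branch, inside the nb_esc_params < MAX_ESC_PARAMS guard … */
int *param = &s->esc_params[s->nb_esc_params];
int digit = ch - '0';
/* saturate well below INT_MAX so that s->x + *param / s->y + *param in the
 * 'A'..'D' cases cannot overflow either; set_cursor() clamps the result */
*param = (*param <= (INT_MAX / 2 - digit) / 10) ? *param * 10 + digit : INT_MAX / 2;
```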
@@ -435,6 +437,7 @@ such as kvm_stat.
 %patch241 -p1
 %patch242 -p1
 %patch243 -p1
+%patch244 -p1
 
 %build
 # By default we build everything, but allow x86 to build a minimal version
@@ -823,6 +826,9 @@ fi
 %{_mandir}/man1/qemu-img.1*
 
 %changelog
+* Sun Oct 07 2012 Cole Robinson - 0.15.1-8
+- CVE-2012-3515 VT100 emulation vulnerability (bz #854600, bz #851252)
+
 * Sun Jul 29 2012 Cole Robinson - 0.15.1-7
 - Pull patches from 0.15 stable
 - CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz